[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of [[MAC times|time stamp-related information]] on files.

+

[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] '''Timestomp''' is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of [[MAC times|time stamp-related information]] on files.

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the [[NTFS]] Master File Table by the operating system or manually by the user.

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the [[NTFS]] Master File Table by the operating system or manually by the user.

−

[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

−

[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

−

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based [[Windows]] operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based [[Windows]] operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

−

Timestomp cannot be used directly to modify all 8 time-stamp values, four of which lies in $STANDARD_INFORMATION attribute of an MFT entry, and other four in $FILE_NAME attribute. FN MACE values are intended to be modified by Windows , but still there is an indirect workaround to update those values in order to further frustate anti-forensics.

+

== A Practical Example ==

−

My findings are concerned with Windows XP SP2 and here is an illustration of those findings.

+

Timestomp cannot be used directly to modify all 8 timestamp values, four of which lies in $STANDARD_INFORMATION attribute of an MFT entry, and other four in $FILE_NAME attribute. $FN MACE values are intended to be modified by Windows, but still there is an indirect workaround to update those values in order to further frustate forensics.

−

1) Created c:\test.txt file

+

1) Create file (''c:\test.txt'')

−

[[Image:1.jpg]]

+

[[Image:1.jpeg]]

−

2) Changed timestamps using Timestomp

+

2) Change timestamps using Timestomp

timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"

timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"

timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"

timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"

−

[[Image:2.jpg]]

+

[[Image:2.jpeg]]

−

3) Pasted that file to some other folder c:\argument\test.txt (Moved )

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the operating system or manually by the user.

Timestomp MACE Change

Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

Timestomp MACE Change Proof

The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

A Practical Example

Timestomp cannot be used directly to modify all 8 timestamp values, four of which lies in $STANDARD_INFORMATION attribute of an MFT entry, and other four in $FILE_NAME attribute. $FN MACE values are intended to be modified by Windows, but still there is an indirect workaround to update those values in order to further frustate forensics.